From 54ebc21880b04ad19f6aacdb1592e98979d094ab Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Thu, 19 Oct 2017 19:38:56 -0400
Subject: [PATCH 1/2] KEYCLOAK-5698
---
 .../ldap/LDAPStorageProviderFactory.java | 2 +-
 .../cache/infinispan/UserCacheSession.java | 2 +
 .../storage/ldap/LDAPRoleMappingsTest.java | 103 ++++++++++++++++++
 3 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java
index 77029c0005..6c33cac2df 100755
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java
@@ -540,7 +540,7 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory ldapConfig = LDAPTestUtils.getLdapRuleConfig(ldapRule);
+ ldapConfig.remove(LDAPConstants.PAGINATION);
 ldapConfig.putSingle(LDAPConstants.SYNC_REGISTRATIONS, "true");
 ldapConfig.putSingle(LDAPConstants.EDIT_MODE, UserStorageProvider.EditMode.WRITABLE.toString());
 UserStorageProviderModel model = new UserStorageProviderModel();
@@ -82,6 +85,8 @@ public class LDAPRoleMappingsTest {
 model.setPriority(0);
 model.setProviderId(LDAPStorageProviderFactory.PROVIDER_NAME);
 model.setConfig(ldapConfig);
+ model.setImportEnabled(true);
+
 ldapModel = appRealm.addComponentModel(model);
@@ -359,4 +364,102 @@ public class LDAPRoleMappingsTest {
 LDAPObject ldapRole1 = roleMapper.loadLDAPRoleByName(roleName);
 roleMapper.deleteRoleMappingInLDAP(ldapUser, ldapRole1);
 }
+
+ /**
+ * KEYCLOAK-5698
+ */
+ @Test
+ public void test04_syncRoleMappings() {
+ KeycloakSession session = keycloakRule.startSession();
+ try {
+ RealmModel appRealm = session.realms().getRealmByName("test");
+
+ LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
+ LDAPObject john = LDAPTestUtils.addLDAPUser(ldapProvider, appRealm, "johnrolemapper", "John", "RoleMapper", "johnrolemapper@email.org", null, "1234");
+ LDAPTestUtils.updateLDAPPassword(ldapProvider, john, "Password1");
+ LDAPTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ldapModel, LDAPGroupMapperMode.LDAP_ONLY);
+ UserStorageSyncManager usersSyncManager = new UserStorageSyncManager();
+ SynchronizationResult syncResult = usersSyncManager.syncChangedUsers(session.getKeycloakSessionFactory(), appRealm.getId(), new UserStorageProviderModel(ldapModel));
+ syncResult.getAdded();
+ } finally {
+ keycloakRule.stopSession(session, true);
+ }
+
+ session = keycloakRule.startSession();
+ try {
+ // make sure user is cached.
+ RealmModel appRealm = session.realms().getRealmByName("test");
+ UserModel johnRoleMapper = session.users().getUserByUsername("johnrolemapper", appRealm);
+ Assert.assertNotNull(johnRoleMapper);
+ Assert.assertEquals(0, johnRoleMapper.getRealmRoleMappings().size());
+
+ } finally {
+ keycloakRule.stopSession(session, true);
+ }
+
+ session = keycloakRule.startSession();
+ try {
+ RealmModel appRealm = session.realms().getRealmByName("test");
+ // Add some role mappings directly in LDAP
+ LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
+ ComponentModel roleMapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ldapModel, "realmRolesMapper");
+ RoleLDAPStorageMapper roleMapper = LDAPTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm);
+
+ LDAPObject johnLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "johnrolemapper");
+ roleMapper.addRoleMappingInLDAP("realmRole1", johnLdap);
+ roleMapper.addRoleMappingInLDAP("realmRole2", johnLdap);
+
+ // Get user and check that he has requested roles from LDAP
+ UserModel johnRoleMapper = session.users().getUserByUsername("johnrolemapper", appRealm);
+ RoleModel realmRole1 = appRealm.getRole("realmRole1");
+ RoleModel realmRole2 = appRealm.getRole("realmRole2");
+
+ Set johnRoles = johnRoleMapper.getRealmRoleMappings();
+ Assert.assertFalse(johnRoles.contains(realmRole1));
+ Assert.assertFalse(johnRoles.contains(realmRole2));
+
+
+
+ } finally {
+ keycloakRule.stopSession(session, true);
+ }
+
+ session = keycloakRule.startSession();
+ try {
+ RealmModel appRealm = session.realms().getRealmByName("test");
+ // Add some role mappings directly in LDAP
+ LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
+ ComponentModel roleMapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ldapModel, "realmRolesMapper");
+ RoleLDAPStorageMapper roleMapper = LDAPTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm);
+
+ LDAPObject johnLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "johnrolemapper");
+ roleMapper.addRoleMappingInLDAP("realmRole1", johnLdap);
+ roleMapper.addRoleMappingInLDAP("realmRole2", johnLdap);
+
+ UserStorageSyncManager usersSyncManager = new UserStorageSyncManager();
+ SynchronizationResult syncResult = usersSyncManager.syncChangedUsers(session.getKeycloakSessionFactory(), appRealm.getId(), new UserStorageProviderModel(ldapModel));
+ } finally {
+ keycloakRule.stopSession(session, true);
+ }
+
+ session = keycloakRule.startSession();
+ try {
+ RealmModel appRealm = session.realms().getRealmByName("test");
+ // Get user and check that he has requested roles from LDAP
+ UserModel johnRoleMapper = session.users().getUserByUsername("johnrolemapper", appRealm);
+ RoleModel realmRole1 = appRealm.getRole("realmRole1");
+ RoleModel realmRole2 = appRealm.getRole("realmRole2");
+
+ Set johnRoles = johnRoleMapper.getRealmRoleMappings();
+ Assert.assertTrue(johnRoles.contains(realmRole1));
+ Assert.assertTrue(johnRoles.contains(realmRole2));
+
+
+
+ } finally {
+ keycloakRule.stopSession(session, true);
+ }
+
+ }
+
 }
From 92245e3fc848e5ed8a6a46ac585b9cca9958813a Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Fri, 20 Oct 2017 09:55:37 -0400
Subject: [PATCH 2/2] fixes
---
 .../keycloak/models/cache/infinispan/RealmCacheManager.java | 2 ++
 .../testsuite/federation/storage/UserStorageTest.java | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheManager.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheManager.java
index 44308c3693..ed562ac790 100755
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheManager.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheManager.java
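Review bot: The comment `// Get user and check that he has requested roles from LDAP` in the third session block sits above two `assertFalse` checks, so it states the opposite of what is asserted; the point of that block is that the still-cached user must not yet see mappings added directly in LDAP, so `// User is still served from the cache: mappings added directly in LDAP are not visible until the next sync` would document the intent. The fourth block re-adds the same two mappings the third block already added; if that is deliberate, to make the entry count as changed for `syncChangedUsers`, a comment should say so, otherwise the two calls are redundant. Both `SynchronizationResult syncResult` locals are effectively unused — the first only calls `syncResult.getAdded()` and discards the value — so the test never verifies that the sync actually picked up `johnrolemapper`; asserting on the result (or dropping the locals) would make what is covered explicit. Since the role mappings under test drive authorization decisions, the `assertTrue` checks after the second sync are the valuable part and deserve a comment naming the KEYCLOAK-5698 behavior they pin.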
@@ -73,6 +73,8 @@ public class RealmCacheManager extends CacheManager {
 }
 public void groupQueriesInvalidations(String realmId, Set invalidations) {
+ invalidations.add(RealmCacheSession.getGroupsQueryCacheKey(realmId));
+ invalidations.add(RealmCacheSession.getTopGroupsQueryCacheKey(realmId));
 addInvalidations(GroupListPredicate.create().realm(realmId), invalidations);
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/UserStorageTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/UserStorageTest.java
index be6aab23e4..c3a341b190 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/UserStorageTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/UserStorageTest.java
@@ -385,6 +385,12 @@ public class UserStorageTest extends AbstractAuthTest {
 testRealmResource().components().component(propProviderRWId).update(propProviderRW);
 // now
+ testingClient.server().run(session -> {
+ RealmModel realm = session.realms().getRealmByName("test");
+ UserModel user = session.users().getUserByUsername("thor", realm);
+ });
+
+ // run twice to make sure its in cache.
 testingClient.server().run(session -> {
 RealmModel realm = session.realms().getRealmByName("test");
 UserModel user = session.users().getUserByUsername("thor", realm);
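Review bot: `groupQueriesInvalidations` now adds the two realm-wide group query keys with no comment on why the predicate-based `addInvalidations(GroupListPredicate.create().realm(realmId), invalidations)` on the next line does not already cover them, so a later reader cannot tell whether this is a targeted fix or a belt-and-braces addition. A one-line why-comment such as `// the groups/top-groups query results are cached under their own per-realm keys and are presumably not matched by the group predicate, so drop them explicitly` (confirm the predicate half against GroupListPredicate) would make the intent durable. Cached group lists that outlive a group change are authorization-relevant wherever group membership feeds role composition, and nothing in this series exercises the group-query invalidation directly; if a test exists elsewhere it is worth naming in the commit message, which currently reads only `fixes`.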
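Review bot: In the added `testingClient.server().run` lambda the `UserModel user` local is never read, so the lookup reads as dead code even though its cache-loading side effect is the only reason it exists; a comment such as `// first lookup loads "thor" into the user cache; the second lookup below must be served from the cache` would keep a cleanup pass from deleting it. The added comment `// run twice to make sure its in cache.` should read `it's`. The second `run` lambda that the trailing context lines belong to continues past the hunk.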